When macsec exists?

bc569a80a344f9c 18 hours ago | parent | next [-]

No kidding.

Just to elaborate for others, MACSec is a standard (802.1ae) and runs at line rate. Something like a Juniper PTX10008 can run it at 400Gbps, and it’s just a feature you turn on for the port you’d be using for the link you want to protect anyway (PTXs are routers/switches, not security devices).

If I need to provide encryption on a DCI, I’m at least somewhat likely to have gear that can just do this with vendor support instead of needing to slap together some Linux based solution.

Unless, I suppose, there’s various layer 2 domains you’re stitching together with multiple L2 hops and you don’t control the ones in the middle. In which case I’d just get a different link where that isn’t true.

▲

tecleandor 5 hours ago | parent [-]

I have at least one switch that's MACSec compatible at line speed but I haven't had time to take a look. I guess this is confined to LAN and cannot do a MACSec link through the internet, isn't it?

▲

bc569a80a344f9c 3 hours ago | parent [-]

It’s port to port. It protects a link.

	▲	tecleandor 7 minutes ago \| parent [-]
		Thanks!

▲

c0l0 8 hours ago | parent | prev | next [-]

Yeah that would have been great, but it's not available on our existing core switches (Dell PowerSwitch S5200 series).

▲

ur-whale 16 hours ago | parent | prev [-]

> When macsec exists?

When you say "exists" ... is there an OpenSource high-quality implementation ?

	▲	Hikikomori 16 hours ago \| parent [-]
		https://man7.org/linux/man-pages/man8/ip-macsec.8.html Generally its used when you have links going between two of your sites, so you typically only need it on your switch or router that terminate that link.